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A COMMUNICATION SYSTEM US ING__ QUANTUM CRYPTOGRAPHY AND 
COMPRISING RWTTHHTMn STATIONS 

The invention relates to a communication sys- 
tem using quantum cryptography , comprising subscriber 
stations which are connected to quantum channels and 
quantum-cryptographic devices which are associated with 
the quantum channels for generating a quantum key. 

Quantum cryptography employs quantum-physical ef- 
fects so as to generate a more or less interception- 
safe key between communication partners, cf . e.g., N. 
Gisin, G. Ribordy, W. Tittel, H. Zbinden, "Quantum 
Cryptography" , Reviews of Modern Physics, Vol. 74, Jan. 
2002, pp. 145-195, or A. Karlsson et al., "Quantum 
Cryptography-From Single-Photon Transmission, Key Ex- 
traction Methods to Novel Quantum Information Proto- 
cols", Evolutionary Computation, 1999; CEC 99; Proceed- 
ings of the 1999 Congress, Vol. 3, 6-9, July 1999, pp. 
2247-2254. In detail, in the case of quantum cryptogra- 
phy, photons containing quantum information are ex- 
changed between two partners. The two partners measure 
certain properties of these photons, such as, e.g., the 
plane of polarization, obtain the same measurement re- 
sults and therefore can construct an identical quantum 
key. In doing so, parts of the measurement results, 
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such as, e.g., the exact points of time, are exchanged 
via public channels. In this manner, the two partners 
are capable of exactly associating the individual meas- 
urements to each other. 

In principle, there exist two methods for this, 
i.e. one using single photons and another one using in- 
terlaced photons. In case of the single photon method, 
a partner generates a sequence of single photons which 
are sent through a polarizer having a plane of polari- 
zation which is varied at random. The setting of the 
polarizer is transmitted to the other partner. If then 
a photon is registered by this other partner, also its 
plane of polarization is clearly determined. However, 
with this method it must be ensured that in fact only 
one single photon each is generated, since in case of 
several photons of the same polarization, a photon 
could be intercepted by a third party. 

With the method of interlaced photons, two photons 
containing the same quantum information are generated 
simultaneously by a special technique. One photon each 
is sent to one of the two partners so that the two 
partners simultaneously will receive an identical meas- 
urement result and thus, each can construct the same 
quantum key for him/herself. 
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When generating the quantum key, the photons can 
be exchanged e.g. via a fiberglass connection, or also 
via a direct visual communication between two tele- 
scopes etc. Set-ups used so far have employed these fi- 
berglass connections or direct visual connections for 
communication purposes employing the quantum cryptogra- 
phy described. In doing so, it is a disadvantage that 
the connections can be set up only over relatively 
short distances, e.g. only a few kilometers, for ena- 
bling the transmission of the photons, so that the use 
of the quantum cryptography so far has been restricted 
to partner stations of short distances only. Moreover, 
the devices for the fiberglass connection or free space 
(line of sight) connection are also relatively expen- 
sive, and it would be desirable to be able to use known 
low-cost connections, in particular devices which al- 
ready exist, for the encoded communication. 

Therefore, it is an object of the invention to 
provide a technique by which the described secure quan- 
tum key can be generated and utilized in a rational 
manner, wherein, however, later on large transmission 
ranges are possible and, moreover, low-cost public 
lines can be used for communication - yet without nega- 
tively affecting the security achieved by quantum cryp- 
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tography. In doing so, the communication shall not be 
bound to certain cryptographic algorithms, and it shall 
be possible to supplement or replace, respectively, 
cryptographic algorithms in an existing system at any 
time . 

The communication system according to the inven- 
tion and of the initially defined type is characterized 
in that several interconnected switching stations are 
provided to which the subscriber stations are connected 
via the quantum channels for generating a respective 
temporary quantum key. 

In the technique according to the invention it is 
not necessary that the two communication partners each 
directly exchange a secure key, much rather one quantum 
key each is generated between a communication partner - 
i.e. a subscriber station - and a switching station, a 
"site of trust". Each switching station thus can have 
an associated zone in which associated subscriber sta- 
tions are present which are connected to the associated 
switching station via comparatively short quantum chan- 
nels (e.g. the previously mentioned fiberglass lines or 
free space connections with telescopes) . The switching 
stations then are interconnected via conventional chan- 
nels which are designed to be secure against eavesdrop- 
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ping in any manner known per se, such as by encryptions 
agreed upon. By the fact that now the subscriber sta- 
tions, or communication partners, respectively, no 
longer need exchange keys directly via a secure chan- 
nel, also subscriber stations which are very remote 
from each other will be able to communicate with each 
other with the high degree of security ensured by quan- 
tum cryptography, using public connecting lines. For 
such a communication, substantially three steps are re- 
quired, i.e. first, the request from a first subscriber 
station for establishing the communication; then, sec- 
ondly, the set-up of the secure communication, generat- 
ing the quantum key; and, thirdly, the actual communi- 
cation between the subscriber stations using the quan- 
tum key previously generated. 

In the technique according to the invention, it is 
also particularly advantageous that the subscriber sta- 
tions can be equipped with relatively simple quantum- 
cryptographic devices, whereas the complex devices can 
be concentrated in the switching stations. Accordingly, 
it is advantageous if the switching stations contain a 
source of photons as quantum-cryptographic device as 
well as also a photon detector, in case interlaced pho- 
tons are used. On the other hand, the subscriber sta- 
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tions may merely contain a photon detection device. 
Thus, the photon source will only be present at the 
switching stations, and at the subscriber stations the 
technical means for detecting the photons will suffice. 

As has been mentioned, always a separate quantum 
key is generated between the subscriber stations (com- 
munication partners) and their associated switching 
station. If both subscriber stations were connected to 
one and the same switching station via their quantum 
channels, with the technique according to the inven- 
tion, the two quantum keys nevertheless also will be 
generated independently of each other, even if this ba- 
sically were not required, for instance when using in- 
terlaced photons. In this manner, always the same pro- 
tocols and the same methods can be used for error cor- 
rection . 

The switching stations can be interconnected in a 
manner known per se in switching technique, at least 
partially in the form of point-to-point links, or also 
in the form of a hierarchy. 

With the technique according to the invention it 
is advantageous that the quantum channels need only be 
used in the course of generating the quantum keys, and 
as soon as the quantum keys have been generated, the 
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communication partners can also communicate with each 
other in a conventional manner. Accordingly, it is 
suitable if the subscriber stations communicate via 
public lines, using the quantum key generated via the 
switching stations. In this manner, the quantum lines, 
or quantum channels, respectively, which as such are 
very expensive, are kept free and utilized for the 
quantum key generation only, and for the subsequent 
communication, using the quantum keys, conventional 
lines, or channels, respectively, can be used, such as 
telephone lines, radio links or the like links. 

As has previously been mentioned, it is preferably 
provided for a quantum key to be generated between each 
subscriber station and the associated switching sta- 
tion, and accordingly, a preferred embodiment of the 
communication system according to the invention pro- 
vides for the subscriber stations engaged in the de- 
sired communication to generate a separate - respective 
first or second - key bit sequence with their associ- 
ated switching station via the quantum channel after a 
request for a communication has been transmitted via 
the respective switching station. Here, it is further 
suitable if the switching station associated with the 
called subscriber station generates a third key bit se- 



quence from the key bit sequences generated via the 
quantum channels, and transmits this third key bit se- 
quence to the called subscriber station which, using 
its known second key bit sequence generated by it with 
the associated switching station, from the third key 
bit sequence generates the - on the side of the calling 
subscriber station - first - key bit sequence which 
then finally is used as a mutual key for the communica- 
tion between the subscriber stations. 

For security reasons, it is furthermore preferably 
to be provided that when ending the communication, the 
quantum key generated for this communication is dis- 
carded. 

It has been known that when measuring the photon 
properties, the information of the respective photon is 
destroyed. Therefore, if an unauthorized third party 
intercepts information by measurement, it is thus pre- 
vented that the authorized communication partner will 
receive the correct information. By comparing parts of 
the measurement between the two authorized communica- 
tion partners, it can therefore undoubtedly be deter- 
mined whether or not a non-authorized third party has 
been intercepting. Therefore, according to the inven- 
tion it is particularly suitable if the quantum key 
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generated is checked for its freedom from interference, 
and if, as a consequence of a possible interference de- 
tected which is associated with an eavesdropping, the 
established communication is disrupted and the key is 
discarded. 

As has already been mentioned, the stationarily 
set-up switching stations can communicate with each 
other via conventional, in particular public lines, us- 
ing the encryption agreed upon. 

Finally, for security reasons as well as for 
checking the authorizations, it may advantageously be 
provided that prior to the establishment of a communi- 
cation between subscriber stations, data transmitted 
from the latter to the respective switching station and 
specific for them, such as, e.g., authentication data, 
are checked by the respective switching station. 

In the following, the invention will be explained 
in more detail by way of particularly preferred exem- 
plary embodiments to which, however, it shall not be 
restricted, and with reference to the accompanying 
drawings. In detail, in the drawings, 

Fig. 1 schematically shows the set-up of an 
inventive system with switching stations and respective 
associated subscriber stations; 
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Fig. 2 shows a hierarchical model for intercon- 
necting the individual switching stations; 

Fig. 3 shows a node-to-node model for connecting 
the switching stations, as an alternative to Fig. 2; 

Fig. 4 schematically shows the essential quantum 
cryptographic devices in a switching station and in a 
subscriber station, respectively, in a type of block 
diagram, here for the instance of producing interlaced 
photons; 

Fig. 5A shows a diagram for illustrating the se- 
quence in case of a request for setting up a communica- 
tion through a subscriber station, a resource-oriented 
set-up being made here; 

Fig. 5B shows a diagram for the sequence in case 
of a request for a speed-oriented communication set-up, 
as an alternative to Fig. 5A; 

Fig. 6 shows a diagram for illustrating the set-up 
of the secure communication in case of the communica- 
tion requirements according to Figs. 5A and 5B, respec- 
tively; 

Figs. 7A and 7B show in a manner corresponding to 
Figs. 5A and 5B the situation in which the requesting 
subscriber station and the requested subscriber station 
are associated to one and the same switching station, 



and this once more for the case of the resource- 
oriented communication set up (Fig. 7A) and for the 
case of the speed-oriented communication set-up (Fig. 
7B) , respectively; 

Fig. 8 shows a diagram pertaining to Figs. 7A and 
7B for illustrating the set-up of the secure communica- 
tion between the two subscriber stations which here are 
connected to one and the same switching station; 

Fig. 9 shows a flow chart for illustrating the 
steps at a request for a communication set-up includ- 
ing two switching stations; 

Fig. 10 shows an associated flow chart for illus- 
trating the set-up of the secure communication there- 
for; 

Fig. 11, for the sake of completeness, shows a 
flow chart for illustrating the procedures at a request 
for a communication set-up if only one switching sta- 
tion is involved; 

Fig. 12 shows the flow chart associated to Fig. 11 
for illustrating the set-up of the secure communica- 
tion, if only one switching station is involved; and 

Fig. 13 shows a flow chart for illustrating the 
generation of a key bit sequence between a subscriber 
station and a switching station. 



In Fig. 1, a communication system including fixed 
switching stations 1, 2.. is shown schematically, 
wherein one or more subscriber stations are connected 
to each switching station 1, 2, e.g. the subscriber 
stations 1.1, 1.2, .., l.i .., l.m are connected to the 
switching station 1 , and the subscriber stations 2.1, 
2.2., .., 2.i, .., 2.n are connected to the switching 
station 2, via quantum channels 3. (By "quantum chan- 
nel'' as such the combination both of the line required 
for the quantum cryptography for exchanging photons and 
of a public line is to be understood.) Moreover, the 
subscriber stations l.i, 2.i, .. are interconnected via 
public lines 4. The switching stations 1, 2 . . may be 
interconnected in various ways, as will be explained in 
more detail hereinafter by way of Figs. 2 and 3. It is, 
of course, also conceivable that only one fixed sub- 
scriber station is connected to a switching station 1, 
2 via a quantum channel or a quantum line 3, respec- 
tively, and the respective connected subscriber sta- 
tions form a node zone or "trust zone" l f , or 2 1 , re- 
spectively, associated with the respective switching 
station 1, 2. Via the quantum channels 3, the quantum 
keys required for the respective secure communication 
are generated in common by the respective subscriber 
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station and the associated switching station, and the 
subsequent communication using this quantum key takes 
place via the public lines 4. Thus, the switching sta- 
tions 1, 2 have the function of generating the secure 
quantum key together with the subscriber stations l.i, 
2.i, and to ensure the presence of one and the same key 
on both communication sides, i.e. at both subscriber 
stations engaged in a communication with each other. 
The switching stations 1, 2.. are interconnected via 
public lines, dedicated lines or the like channels 5, 
an encryption, however, being provided for the communi- 
cation between the switching stations 1, 2 to thus make 
the information exchange during the key generation se- 
cure also from this side. Thus, the switching stations 
1, 2 form "points of trust", wherein the switching sta- 
tions 1, 2 communicating with each other - depending on 
the architecture - must have exchanged a key. 

The set-up of the network with the switching sta- 
tions 1, 2 can be provided in different, per se conven- 
tional, ways, two possibilities being illustrated as 
examples in Figs. 2 and 3. In Fig. 2, a hierarchical 
model is shown, wherein the connection between the two 
switching stations 1, 2 (cf. also Fig. 1) is effected 
via a hierarchical structure, at first ascending, then 
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descending again, via switching stations 6, 7, 8, 9. 

According to Fig. 3, each of the switching sta- 
tions 1, 2, 6', 7' shown there can directly communicate 
with each other, i.e. this is a so-called point-to- 
point model. However, the concrete way of the connec- 
tion between the switching stations 1, 2 is of no fur- 
ther relevance for the function of the present communi- 
cation system using quantum cryptography. It is only 
essential that for providing a secure, quantum crypto- 
graphically encoded communication between subscriber 
stations l.i, 2.i, such switching stations 1, 2 are in- 
volved, with these switching stations 1, 2 being inter- 
connected in a secure way so that the key bit sequences 
(so-called streams), required for generating the key on 
the side of both subscriber stations involved in a com- 
munication, can be exchanged via the quantum channels 3 
which, due to the technical circumstances necessarily 
are short, and via the switching stations 1, 2 etc.; 
with a view to this, the subscriber stations l.i, 2.i 
may also be provided at arbitrary, large distances from 
each other. With this, a communication employing quan- 
tum cryptography is enabled between subscriber sta- 
tions l.i, 2.i very far from each other, i.e. without 
being restricted to the short distances as hitherto re- 
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quired by the quantum channels 3 given by optical fiber 
lines or by line of sight connections realized by means 
of a telescope. 

For a better understanding, the principle of quan- 
tum cryptography known per se shall be explained in 
short by way of Fig. 4. Due to the particular "random- 
ness" of certain properties of photons used therein, 
quantum cryptography is highly secure. In quantum cryp- 
tography, photons comprising quantum information are 
exchanged between two partners. Both partners measure 
certain properties of these photons (e.g. the plane of 
polarization) , obtain the same measurement results, and 
therefore are able to build up an identical key. In do- 
ing so, parts of the measurement results - e.g., the 
exact points of time - are exchanged via public chan- 
nels. By this, both partners are able to exactly asso- 
ciate the individual measurements. 

By the measurement, the information of the single 
photon is destroyed, therefore always only one recipi- 
ent of a photon can carry out the measurement. On ac- 
count of the laws of quantum physics, photons having 
defined properties cannot be artificially produced. A 
third partner who intercepts the information by meas- 
urement will thus prevent the authorized partner from 
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receiving the correct information. Therefore, by com- 
paring parts of the measurement between the two author- 
ized communication partners it can unambiguously be de- 
termined whether or not a third party has been inter- 
cepting . 

In principle, it is distinguished between two 
methods : 

(1) Single photons: A partner generates a sequence of 
single photons which he sends through a polarizer whose 
plane of polarization is randomly varied. The setting 
of the polarizer is transmitted. If a photon is regis- 
tered by the other partner, its plane of polarization 
thus is clearly determined. It must, however, be en- 
sured that in fact only a single photon is generated, 
because in case of several photons of the same polari- 
zation, one of the photons could be intercepted by a 
third party. 

(2) Interlaced photons (so-called "qubits") : By special 
methods, two photons are produced simultaneously which 
contain the same quantum information. Each photon is 
sent to one of the two partners so that the partners 
simultaneously receive the identical measurement result 
and thus can build up an identical key. 

In classical quantum cryptography, it is assumed 
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that photons are exchanged between the two communica- 
tion partners. These photons are derived from a source 
which - depending on the method chosen, is either di- 
rectly arranged at one of the two communication part- 
ners (single photon method) or between the two partners 
(interlaced photons) . 

Within the scope of the invention, it is suffi- 
cient that the source of photons is only installed at 
one of the two communication partners, i.e. in particu- 
lar at the switching station, e.g. 1. Thus, in the 
switching station 1 both the source of photons and - 
when using qubits - also a photon detector is present. 
In the subscriber station, e.g. l.i, then merely the 
technical prerequisites for detecting the photons are 
necessary. 

Accordingly, in Fig. 4 the switching station 1 is 
shown by way of example, which, as has been mentioned, 
is connected with associated subscriber stations, in 
particular the subscriber station l.i, via a quantum 
channel 3, a source of photon pairs 10 being provided 
in the switching station 1. Via an internal quantum 
line 3', this photon pair source 10 is further con- 
nected to a photon detector 11 within the switching 
station 1; a correspondingly designed detector 11' is 



present in the subscriber station l.i, and subsequently 
always one detector, 11 e.g., will be explained with 
reference to components 12 to 18 which have the same 
reference numbers for both detectors 11, 11'. 

The detector, 11, e.g., comprises an active polar- 
izer 12 on its input side, to which an appropriate ad- 
justment signal is supplied via a control unit 13. Then 
the photon gets to a polarizing beam divider 14 which 
is followed by two avalanche photodiodes 15, 16 to the 
outputs of which an analyzing unit 17, e.g. a time in- 
terval analyzer, is connected. Besides, the further 
common communications control units are comprised to- 
gether with a circuit module 18 . 

The photon pair source 10 may be set up in conven- 
tional manner with a pump beam laser, the pump beam be- 
ing supplied to a non-linear crystal, e.g. a barium bo- 
rate crystal ("BBO crystal 7 '), the interlaced photons or 
"qubits" being produced by this laser irradiation. 

As has been mentioned, always a separate key is 
generated between a switching station, e.g. 1, and an 
associated subscriber station, e.g. 1.1, this being so 
even if two subscriber stations, e.g. 1.1 and 1.2, are 
associated to one and the same switching station, e.g. 
1. As such, this would not be necessary when using the 
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method of the interlaced photons, yet whenever the two 
keys are generated independently of each other, also 
the same protocols and the same methods for error cor- 
rection can be employed. 

As further mentioned, in the present communica- 
tions system it is no longer necessary for the inter- 
communicating subscriber stations to previously ex- 
change a key via a secure channel (quantum channel), 
this will much rather be effected by involving the re- 
spective associated switching station, with the switch- 
ing station - in combination with the quantum key gen- 
erated - ensuring the high degree of security during 
the communication. Before a communication is estab- 
lished between two subscriber stations, e.g. 1.1 and 
2.1 (cf. Fig. 1 and Figs. 5A and 5B, respectively, as 
well as Fig. 6), or between two subscriber stations 1.1 
and 1.2 associated to one and the same switching sta- 
tion, e.g. 1 (cf. Figs. 7A, 7B and 8), a request for 
establishing the communication is made, wherein one 
subscriber station, e.g. 1.1, triggers this phase by a 
respective request; subsequently, a secure communica- 
tion is established, and finally, the actual communica- 
tion by using the quantum key generated. 

In the following, the individual steps when a sub- 



scriber station, e.g. 1.1., requests the establishment 
of a communication with another subscriber station, 
e.g. 2.1 or 1.2, as well as the establishment of the 
secure communication will now be explained in more de- 
tail. In the individual switching stations, information 
regarding the connections depending on the concept of 
the communications system may be stored, yet in the 
switching stations, all the generated key bit sequences 
(streams) should be deleted after the secure communica- 
tion has been established and before the direct commu- 
nication between the subscriber stations using the gen- 
erated key is carried out. In the communication taking 
place using the key generated, various algorithms, such 
as from the fields of the block and current chiffres, 
may be resorted to. In any event, also in the sub- 
scriber stations, the key generated for the communica- 
tion should be discarded immediately after ending this 
communication and should not be used any longer. It 
must not be stored in the system, and, apart from the 
communications partners, it must not be made accessible 
to anyone. 

In Fig. 5A, a diagram is shown to illustrate the 
procedures when requesting the establishment of a com- 
munication, this being based on a resource-oriented 
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set-up, in detail. In contrast to a speed-oriented set- 
up (as will be explained hereinafter by way of Fig. 
5B) , in such a resource-oriented set-up all the partial 
steps are started by the "calling" subscriber station, 
e.g. 1.1, so that more communication steps have to be 
carried out than with the speed-oriented set-up. Yet it 
is possible to react to the answer of the partner, i.e. 
of the called subscriber station, e.g. 2.1, after 
transmission of the wish for a communication, and only 
then to initiate the resource-intensive set-up of the 
secure communication . 

To simplify matters, the subscriber stations will 
simply be termed "subscriber" hereinafter, and that 
subscriber station from which a request emanates, is 
also termed "initiator" or "party calling subscriber", 
whereas the called subscriber station will be termed 
"target station" . 

According to Fig. 5A, the subscriber station 1.1 
associated with the switching station 1 desires a com- 
munication with the subscriber station 2.1 associated 
with the switching station 2. The designation of the 
subscriber stations and switching stations is to be un- 
derstood without restricting its generality. 

In Fig. 5A, just as in the subsequent Figs. 5B to 



8, the vertical blocks generally indicate communication 
steps (in Fig. 5A, communication steps 21 to 28), and 
the horizontal arrows between the individual stations 
1.1, 1, 2, 2.1 indicate data transmissions (in Fig. 5A, 
data transmissions 31 to 38). In the course of the il- 
lustrated request for an establishment of a communica- 
tion, the calling subscriber 1.1 according to block 21 
first sends a request to its associated switching sta- 
tion 1, the data transmission according to arrow 31 
containing his identification as well as the desired 
partner (target station 2.1). According to block 22, 
the switching station 1 then checks the data received 
from initiator 1.1 (e.g. with regard to authentication, 
authorization, account information etc.) and in case of 
a positive result of this check, it further transmits 
the request to the switching station 2 responsible for 
the called subscriber 2.1 (which may be done directly 
as previously explained by way of Figs. 2 and 3, or via 
other switching stations) . The data transmitted accord- 
ing to arrow 32 mainly indicate the desired subscriber 
2.1 as well as also the calling subscriber 1.1. 

According to block 23, the switching station 2 
then requests its associated called subscriber 2.1 to 
communicate, transmitting a request for identification 
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according to arrow 33, to which the called subscriber 
2.1 responds according to block 24 and by transmitting 
his data back to the switching station 2 according to 
arrow 34. According to block 25, the switching station 
2 then checks the data of the called subscriber 2.1 
(regarding authentication, authorization, account in- 
formation etc.) and, if the result of the check is 
positive, it transmits the respective information re- 
garding the desired communication to the called sub- 
scriber 2.1, cf. request arrow 35 in Fig. 5A. This in- 
formation particularly contains data relating to the 
calling subscriber 1.1. According to block 26, the 
called subscriber 2.1 then positively confirms the re- 
quest, and according to arrow 36, as an answer, he re- 
turns this confirmation, including a request to commu- 
nicate, to the switching station 2 which in turn - cf. 
block 27 - transmits the answer to the switching sta- 
tion 1, cf . also arrow 37; according to block 28, the 
switching station 1 then transmits this answer to the 
calling subscriber 1.1. cf. also the data transmission 
according to arrow 38. 

Now the establishment proper of the secure commu- 
nication can occur by generating the quantum key for 
the communications session, and this will be explained 
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in the following in more detail by way of Fig. 6. Yet 
before this, that case will be described by way of Fig. 
5B, in which a request is made for a speed-oriented es- 
tablishment of a communication. 

In contrast to the resource-oriented approach, in 
case of the speed-oriented communication set-up follow- 
ing the request to communicate, the answer of the tar- 
get station 2.1 is not directly returned to the initia- 
tor 1.1, much rather the target station 2.1, answering 
to the request, takes up the active role in the estab- 
lishment of the secure communication, wherein the num- 
ber of the individual steps required can be reduced and 
the communication establishment can be accelerated. 

In the associated diagram according to Fig. 5B, 
the communication steps 21 to 25 corresponding to the 
procedure according to Fig. 5A are designated with the 
same reference numbers, and likewise the corresponding 
data transmissions are indicated by the arrows 31 to 
35. In view of the explanations given with regard to 
Fig. 5A, these steps and the data transmission, respec- 
tively, need not be discussed again. Other than in the 
procedure according to Fig. 5A, after communicating the 
data of the requesting subscriber 1.1 according to the 
data transmission, arrow 35, in the diagram of Fig. 5B 



it results now that the subscriber station 2.1 called 
positively confirms the request according to block 39 
and - instead of the calling subscriber 1.1 - the sub- 
scriber station 2.1 itself directly assumes the active 
role in the subsequent establishment of the secure com- 
munication . 

The set-up of the secure communication is sche- 
matically illustrated in Fig. 6, this set-up being re- 
spectively true for both aforementioned variants (re- 
source-oriented and speed-oriented communication set- 
up) . 

As previously explained, the request for a commu- 
nication establishment is schematically illustrated in 
Fig. 6 by the continuous arrow 40. 

Blocks 41 to 47 then again denote the communica- 
tions steps which will be explained in more detail 
hereinafter, and the arrows and double arrows 48 to 52 
denote the concrete data transmissions, i.e. particu- 
larly the transmissions of key bit sequences 
("streams") . 

In detail, according to block 41, the calling sub- 
scriber 1.1 is ready to communicate, and together with 
the switching station 1, he generates the first key bit 
sequence 48 (stream 1) via the associated quantum line 
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3 (cf. Fig. 1) , cf. also block 42 which illustrates the 
key bit sequence generation on the side of the switch- 
ing station 1. The first key bit sequence 48 is gener- 
ated on the basis of quantum mechanisms, as has been 
described . 

Independently thereof, according to blocks 43 and 
44 as well as to the double arrow 49, a second key bit 
sequence (double arrow 49) , a so-called stream 2, is 
likewise generated between the other switching station 
2 and the called subscriber 2.1 on the basis of quantum 
mechanisms and via the quantum line 3 provided there. 

According to block 45, the first switching station 
1, by means of a method agreed upon between the switch- 
ing stations 1,2, encodes the first key bit sequence 
and transmits it in encoded form to the second switch- 
ing station 2, cf. also arrow 50, which illustrates 
this transmission of the encoded first key bit se- 
quence. From the encoded first bit sequence as well as 
from the second key bit sequence (double arrow 49), ac- 
cording to block 46, the second switching station 2 
then generates a third key bit sequence (stream 3) 
which, according to arrow 51, is transmitted to the 
called subscriber 2.1. From the received third bit se- 
quence 51 and the second key bit sequence already known 
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to him (cf. arrow 49), the called subscriber 2.1 gener- 
ates the first key bit sequence according to block 47 
(cf. also arrow 48 in Fig. 6), and according to arrow 
52, this first key bit sequence then is used as key, as 
so-called "session key", for the further communication 
together with the calling subscriber 1.1. 

Figs. 7A and 7B then illustrate the special case 
that both subscriber stations, i.e. the calling sub- 
scriber station 1.1. just like the called subscriber 
station 1.2, are associated to one and the same switch- 
ing station 1. Again, reference is made to the two ba- 
sic possibilities of the resource-oriented set-up (Fig. 
7A) , and the speed-oriented set-up (Fig. 7B) ; in Fig. 
8, the set-up of the secure communication equally ap- 
plicable to both cases is illustrated. Since, as has 
been mentioned, these are special cases of the diagrams 
according to Figs. 5A, 5B and 6, corresponding refer- 
ence numbers have again been used in Figs. 7A, 7B and 8 
for the corresponding communication steps and data 
transmissions, and, as far as they correspond to each 
other, a repeated description of these communications 
steps and data transmissions is not required. In de- 
tail, when comparing Fig. 7A with Fig. 5A, it appears 
that the two switching stations 1 and 2 according to 
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Fig. 5A are to be combined to just one switching sta- 
tion 1, the data transmissions 32 and 37 being omitted 
and the communication steps 22, 23 on the one hand, and 
27, 28, on the other hand, coinciding. In these commu- 
nication steps or blocks, respectively, denoted respec- 
tively by 53 and 54, the switching station 1 checks - 
block 53 - the data of the calling subscriber 1.1 (au- 
thentication, authorization, account information etc.) 
and requests the called subscriber 1.2 to directly com- 
municate; according to block 54 (corresponding to 
blocks 27 and 28 in Fig. 5A) , the switching station 1, 
after having received the confirmation and the request 
to communicate on the part of the called subscriber 
station 1.2 (cf. arrow 36'), transmits this answer di- 
rectly to the called subscriber 1.1, cf. arrow 38. 

Otherwise, the steps correspond to those according 
to Fig. 5A, as has been mentioned, thus rendering a re- 
newed explanation unnecessary. Additionally, it should 
only be mentioned that the data transmissions in Fig. 
7A due to the fact that they occur between the called 
subscriber 1.2 and the switching station 1 (instead of 
the switching station 2 in Fig. 5A) , have been denoted 
by arrows 33 1 to 36' (instead of 33 to 36); correspond- 
ingly, also the checking step has been denoted by 25 1 
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(instead of 25) . 

Similarly, the above applies to the diagram ac- 
cording to Fig. 7B as compared to that according to 
Fig. 5B, wherein, however, in contrast to Fig. 7A, only 
the combined communications step 53 - corresponding to 
steps 22, 23 in Fig. 5B - occurs, whereas as regards 
the set-up of the communication connection on the side 
of the called subscriber (cf. block 39) when compared 
to Fig. 7A, the combined step 54 is omitted. 

Correspondingly, there results a simplification in 
the diagram according to Fig. 8 for the set-up of the 
secure communication, wherein, again, the two switching 
stations 1, 2 according to Fig. 6 coincide and, by way 
of example, the switching station 1 services both sub- 
scriber stations 1.1 and 1.2. In doing so, the steps 
42, 43 according to Fig. 6 coincide to the combined 
step 55, according to which the switching station 1 is 
ready for communication and, independently of each 
other, with both subscriber stations 1.1 and 1.2 gener- 
ates the quantum key bit sequences (''stream 1" and 
"stream 2") according to arrows 48 and 49'. By means of 
the apostrophe accompanying the reference numbers for 
the data transmissions 49, 51 and step 46, respec- 
tively, also here again it shall be indicated that com- 



parable data transmissions and processes do occur, yet 
in connection with the other switching station than 
that of Fig. 6 (1 instead of 2) . 

In the following, by means of flow charts illus- 
trated in Figs. 9 and 10, and Figs. 11 and 12, respec- 
tively, the mode of procedure used at a request for es- 
tablishing a communication, and when establishing the 
secure communication, namely when incorporating two 
switching stations (Figs. 9 and 10), and in case the 
two subscriber stations are associated to one and the 
same switching station (Figs. 11 and 12), shall be ex- 
plained in more detail by way of example. As has been 
mentioned, the subscriber stations are always associ- 
ated to certain switching stations, and a quantum key 
is generated between one switching station each and a 
subscriber station. Normally, different switching sta- 
tions will participate in the establishment of the com- 
munication and in the generation of the key, respec- 
tively, these switching stations in turn being inter- 
connected either directly or via any network structure 
desired. In an exceptional instance, as has already 
been previously explained, the subscribers involved in 
the communication to be established are associated to 
one and the same switching station, i.e. arranged in 
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one and the same "trust zone". 

At the start of the procedure for establishing a 
communication connection, it must be checked whether it 
will be possible at all and whether it will be in the 
interest of the network provider and of the two sub- 
scribers to establish a connection between the sub- 
scribers. Thus, according to Fig. 9, after a starting 
step 56 at block 57, a request for communication is 
made by assembling the required data and preparing them 
in the form of a data package. Such a request for com- 
munication may, e.g., have the following contents: 

- Initiator: the identification of the initiator, e.g. 
1.1, e.g. in the form of an unambiguous network ad- 
dress, comparable with addresses in other network pro- 
tocols, such as IP. 

- Target station: identification of the called sub- 
scriber, e.g. 2.1, who is requested to communicate. 

- Time of the beginning of the communication: with this 
information, the desired point of time at which the 
communication is effected is set. Optionally, a token 
can be defined for an immediate communication estab- 
lishment . 

- Conditions of the communication establishment: This 
information allows for the definition of tokens with 



regard to different properties of the communication. 
Examples of such tokens would be: carrier of the commu- 
nication costs (initiator, target station, other ac- 
count e.g. of an enterprise), responsibility for the 
data transmitted, priority of the communication, level 
of confidentiality, etc. 

According to block 58 this request is transmitted 
to the pertinent switching station, e.g. 1, via a pub- 
lic line. 

Incoming requests are checked by the respective 
switching station, i.e. here switching station 1. In 
particular, the data of the initiator 1.1 are checked, 
cf. block 59. Such a check could comprise the checking 
of various information, such as, e.g., the authentica- 
tion of the initiator, the authorization of the initia- 
tor to communicate (with the target station, with this 
confidentiality level, at this point of time etc.), ac- 
counting information etc.. According to block 60, a 
negative result of this check will lead to the discon- 
tinuation of the communication and to the generation of 
an appropriate response according to block 61, this re- 
sponse - according to block 62 - being returned to the 
initiator 1.1. 

In case of a positive result of the check at block 
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59, according to block 59 1 the information regarding 
the target station 2.1 will be checked. Here, the check 
could regard information like the following, for in- 
stance: availability of the target station, permission 
of the communication with the initiator, accounting in- 
formation of the target station, confidentiality level 
of the communication, etc.. If the check yields a nega- 
tive result, the communication will be discontinued 
again (block 60) , and a respective report will be 
transmitted to the initiator (blocks 61, 62). 

Otherwise, the request will be transmitted to the 
switching station 2 in charge of the target station 
2.1, cf. block 63 in Fig. 9. This switching station 2 
can be reached in various ways. Examples of this would 
be a hierarchical organization of the individual 
switching stations (cf. Fig. 2), or via a direct con- 
nection between all the switching stations (cf. Fig. 
3) . 

According to block 64, the request is received and 
processed by the switching station 2 associated with 
the target station 2.1. Within the scope of this proc- 
essing, the data of the target station 2.1 are checked, 
cf. block 65, wherein, e.g., the accounting information 
of the target station 2.1 is checked, since this infor- 
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mation may possibly only be known to the responsible 
switching station 2. Likewise, information regarding 
the degree of confidentiality or the circle of the al- 
lowed communication partners could be known to the re- 
sponsible switching station 2 only, and therefore be 
checked only in this step, block 65. A negative result 
of the check will lead to a discontinuation of the com- 
munication, block 66, and to a respective report, cf. 
block 67, which, according to block 68, will be re- 
turned to the first switching station. 

Optionally, at a positive check result, the target 
station 2.1 according to block 69 may be requested by 
the responsible switching station 2 for an authentica- 
tion. At the same time, the target station 2.1 would be 
informed about the request for a communication. Here, 
all information of the request could be transmitted, 
yet optionally they could also be transmitted only af- 
ter a successful identification, as illustrated in Fig. 
9. In the case illustrated, the data required for the 
communication will be transmitted to the target station 
2.1 only after a positive check of the identity so as 
to ensure a higher degree of security. According to 
Fig. 9, after the decision 70 for answering the re- 
quest, the identification data (according to block 71) 
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are returned to the associated switching station 2, 
where they are checked according to block 72. 

If the check of the identity of the target station 
2.1 according to block 72 is ended with a negative re- 
sult, the established communication, after having gen- 
erated a respective reply, will be terminated again, 
cf. blocks 66, 67, and once more the answer - cf. block 
68 - will be transmitted back to the calling switching 
station 1. 

Otherwise, the request according to block 73 will 
be transmitted to the target station 2.1, whereupon the 
latter, according to block 74, can agree to the estab- 
lishment of a communication or reject the same. The re- 
ply of the target station 2.1 is transmitted to the 
initiator 1.1 as well as to all the switching stations 
2, 1 involved, e.g. blocks 75, 76 as well as block 77. 
Depending on the form of communication agreed-upon 
(confidentiality level, accounting information etc.) as 
well as on the point of time agreed upon, the respec- 
tive initializations can be prepared - in case of a 
positive reply, block 75. The respective reply will be 
checked at the initiator, i.e. at the calling sub- 
scriber 1.1, according to block 78, and in a positive 
case, according to field 79 the readiness for a commu- 



nication prevails . 

In case of a negative answer, if the communication 
is discontinued according to block 80, the initiator 
1.1 can again begin to establish a communication, cf . 
request 81 in Fig. 9. By respective mechanisms on the 
part of the responsible switching station 1, here the 
parameters, such as, e.g., the maximum number of commu- 
nication attempts per time unit, costs per communica- 
tion attempt etc., may be used for controlling pur- 
poses. If the decision at the request 81 is negative, 
according to field 82 the communication attempt will 
finally be discontinued. 

In order to reach a higher level of security, it 
is also possible to encode all the communication steps 
between the communication partners involved. For this, 
both symmetrical methods such as, e.g., block codes 
(AES, IDEA etc.) and current codes (Vernam variants, 
SEAL 2.0 etc.) as well as asymmetrical methods, e.g. 
based on a central PKI, would be suitable. 

After the communication has been initialized, as 
described before, in the next step - cf. Fig. 10 - the 
required key bit sequences will be generated and the 
communication will be established. 

Together with his switching station 1, the initia- 



tor 1.1 of the communication generates a "stream 1" 
with agreed-upon quality criteria and a corresponding 
key length. In order to work with an encryption by, 
e.g., AES ("Announcing the Advanced Encryption Stan- 
dard", Federal Information Processing Standards Publi- 
cation 197, NIST) later on, a key length of 256 bits is 
agreed upon. In Fig. 10, following a start step 83, 
this is illustrated by the blocks 84 (initiation of the 
stream 1-generation) and 85 (stream 1-generation) . 

In the next step, the status of the generation 
(cf. block 86) is checked (block 87). A negative status 
will lead to a discontinuation of the communication, 
cf. field 88. 

If the status of the generation is a positive one, 
the generated stream 1 will be encoded - according to 
block 89 - by the switching station 1 of the initiator 
1.1. Encoding of the stream 1 may, e.g., be effected by 
symmetrical methods, such as AES, or by asymmetrical 
methods . 

After having received the encoded stream 1 (cf 
block 90) , the switching station 2 of the target sta- 
tion 2.1 according to block 91 initiates the generation 
of the second key bit sequence (stream 2) with the tar- 
get station 2.1, cf. block 92. Also here, respective 



quality criteria could be agreed upon, the length, 
e.g., could correspond to the length of stream 1, de- 
pending on the method chosen later on. Subsequently, 
the status (cf. block 93) is checked (block 94). In 
case of a negative status, the communication is discon- 
tinued, cf. field 95. 

In case of a positive status, the encoded stream 1 
will be decoded in the next step (block 96) , and subse- 
quently encoded with the generated stream 2 to give the 
third key bit sequence - stream 3, cf. block 97. An ex- 
ample of an encryption would be the transmissionless 
addition (XOR operation) of the two streams 1 and 2. 
For this purpose, it is necessary that both streams 1 
and 2 have the same lengths and meet quality criteria 
defined beforehand. 

According to block 98, the stream 3 generated in 
this manner is transferred to the target station 2.1 
and is decoded again there with the stream 2, cf. block 
99. The result of decoding (stream 1) will be termed 
"session key" hereinafter, and according to block 100 
it is used as key when establishing the connection. 

The target station 2.1 now starts the connection 
establishment with the initiator 1.1, cf. block 100, 
and the latter takes up the communication, cf. block 
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101. For this, again algorithms such as AES or IDEA may 
be used. Subsequently, the connection established is 
checked, cf. block 102. If this check of the communica- 
tion yields a negative result, the communication is 
discontinued, at a positive result, the communication 
is secure as defined by this method, cf . (field 103) 
field 104, and the communication can occur, using the 
session key (stream 1) . 

After a discontinuation of the communication, all 
the respective communication partners involved in the 
communication will receive a respective report. The 
system provider may define the further procedure in 
case of a discontinuation, repeating, e.g., unsuccess- 
ful steps. Whether or not a repetition is possible 
could also depend on the conditions of the communica- 
tion set-up agreed upon in the first step; for this, 
also the point of time of the beginning of the communi- 
cation agreed upon could be relevant. 

As has been mentioned, Figs. 11 and 12 again re- 
late to the instance in which the called subscriber 
station, here 1.2, is associated to the same switching 
station 1 as the calling subscriber station 1.1. When 
looking at the individual steps in the sequence regard- 
ing the request to communicate (cf. Fig. 11 as compared 
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to Fig. 9) , it can be seen that different steps regard- 
ing the data transmission between the switching sta- 
tions 1 and 2 can be omitted in Fig. 11 in comparison 
with Fig. 9, such as particularly the blocks 59 f , 63, 
64 and 68 of Fig. 9. Checking of the data of the target 
station 1.2 is effected only once, cf. block 65, just 
as a discontinuation of the communication also is pro- 
vided for only once - according to block 105, i.e. 
block 105 in Fig. 11 corresponds to the combination of 
blocks 60 and 66 in Fig. 9; similar facts hold for the 
provision of the respective reply according to block 
106 in Fig. 11 which corresponds to the combination of 
the blocks 61 and 67 in Fig. 9. Otherwise, the sequence 
is the same as in Fig. 9 so that no further explana- 
tions of Fig. 11 are required in order to avoid repeti- 
tions . 

Similarly, the above applies to the illustration 
in Fig. 12 as compared to that of Fig. 10, regarding 
the establishment of the secure communication, in 
which, due to the treatment within one and the same 
switching station 1, in Fig. 12 the blocks 89 and 90 
illustrated in Fig. 10 and regarding the encoding of 
stream 1 and its transmission to the further switching 
station are omitted. Consequently, also decoding of the 
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first stream according to block 96 in Fig. 10 is omit- 
ted in the sequence of Fig. 12, and there the first 
stream 1 can be encoded immediately with the second 
stream 2 to give stream 3, cf. blocks 97 and 98. 

Finally, by way of Fig. 13 the procedure when gen- 
erating a key bit sequence, a "stream", shall be ex- 
plained in more detail. Here, following a starting step 
107, the initiator, i.e. the calling subscriber sta- 
tion, i.e. subscriber 1.1 e.g., at the beginning of the 
generation makes a corresponding request, cf. block 108 
in Fig. 13. This request may contain different tokens, 
such as, e.g., the length of the stream to be gener- 
ated, the quality criteria of the stream, such as, 
e.g., FIPS 140-2 (cf. "Security Requirements for Cryp- 
tographic Modules", Federal Information Processing 
Standards Publication, pp. 140-2, NIST) , criteria ac- 
cording to Golomb (cf. A. J. Menezes, P. c. van Oor- 
schot, S. A. Vanstone; "Handbook of Applied Cryptogra- 
phy"; CRC Press 1996; p. 180 ff .) , linear complexity 
(cf. A. J. Menezes, P. c. van Oorschot, S. A. Vanstone; 
"Handbook of Applied Cryptography"; CRC Press 1996; p. 
198 ff.) etc. 

The request is transmitted to both communication 
partners involved and serves to initiate appropriate 

- 41 - 



steps, such as preparing the system (adjusting, self- 
test, etc.)/ recording etc.. 

The generation of the stream - cf. blocks 109, 110 
- is effected between the communication partners in- 
volved, i.e. between the initiator 1.1 and the switch- 
ing station 1, e.g., by a respective protocol, such as, 
e.g., the protocols by Bennett and Brassard (cf. C. H. 
Bennett, F. Bessette, G. Brassard, L. Salvail, J. 
Smolin, "Experimental Quantum Cryptography", J. Cryp- 
tology (1992) 5; pp. 3-28) . When a stream of the 
agreed-upon length has been generated - cf. also block 
111 - the stream is checked by one of the communication 
partners involved, e.g. by the switching station 1, ac- 
cording to block 112. Within the scope of this check, 
the quality criteria previously defined in the request 
can be checked. If the generated stream is denied 
within the scope of the check, a respective error re- 
port is generated (block 113) and sent to the second 
communication partner - here the initiator 1.1 - cf. 
block 114. 

If the stream is assessed as allowable during the 
check, a positive status report is generated according 
to block 115. The latter confirms that both communica- 
tion partners now have a key which they have generated 



together . 

On the other hand, after an error report, it may 
be open to the initiator to start a further attempt at 
generating a key, cf . block 116. Here, the system pro- 
vider could intervene in a controlling manner, e.g. by 
allowing only a certain number of attempts per time 
unit, by billing each attempt individually etc.. If the 
attempt is not repeated, a negative status report is 
generated according to block 117, confirming that a 
common key could not be generated. 

The final status is illustrated by block 118 in 
Fig. 13 and determines the further course (encoded com- 
munication, or discontinuation) . 
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